Playing the blame game: Breaking down cybersecurity attribution

Attributing the adversary behind a cyber attack ranks as perhaps the hardest challenge in all of cyber security, harder than keeping intruders out of a network, for the simple reason that bits are just bits and do not belong to any single person. In other words, anyone can flawlessly copy digital content, including malware and exploits, and re-use it without leaving personal fingerprints behind. Furthermore, an attacker can route operations through existing infrastructure, or through other people's machines they have compromised, and pick a launch point the victim is already inclined to blame for political reasons, exploiting the confirmation bias people inherently have.

Nonetheless, many private firms and security researchers are quick to reach a conclusion on who is behind an attack based on code and infrastructure re-use, as well as the tactics, techniques, and procedures (TTPs) they have previously ascribed to bad actors with cute names. These methods typically would not pass a court of law's evidentiary standards, but they are good enough for Twitter.

The intersection of cyber with real-world geo-politics has raised the stakes significantly for cyber reindeer games. The possibility of inaccurately attributing a person, group or country for an attack could lead to grave repercussions on a global scale.

With the 2016 Presidential Election now in the rear-view mirror, and new intelligence being leaked that Russian intelligence agencies, under the direction of Putin, ran a coordinated influence campaign to elect Donald Trump, the stakes on correct attribution could not be higher. President Obama has ordered an investigation, with public release of its findings, into the Russian government's interference in the U.S. Presidential election. Congress may form its own independent inquiry as well.

The new Administration may be under tremendous pressure to act decisively even though it may have benefited from the interference. In the absence of a framework for response, the result may be an escalation of cyber war, or further sanctions against Russia or its leadership. On the other hand, the absence of any response will signal to other adversaries that the US can continue to be manipulated with impunity.

On the brink of a cyber war, how can the U.S. government accurately attribute cyber attacks so that we do not end up with another "slam dunk" moment: a confident public claim backed by no actual evidence of culpability?

Because of the inherent difficulty of attributing from code alone, attribution must draw on several independent methods to support or rule out a suspected adversary, assembling a body of evidence that meets an agreed standard of proof. Three such methods are code analysis, all-source intelligence, and offensive cyber collection.

Read the code

Most security researchers start with the code, on the premise that organizations re-use their code across multiple targets. While this is certainly true, adversaries are as lazy as anyone else and will happily re-use other people's code. Furthermore, most attacks use common exploit kits available to anyone with $500 to spend.

On the other hand, if you can identify signatures that are unique to a body of code, such as the compile chain, the options used to compile, language settings, and compile time and date stamps (metadata about the code that is sometimes harder to obscure), these can serve as an indicator of a particular adversary. Bear in mind that this metadata can also be stripped or forged: a timestamp of zero, or one in the future, tells you the field was tampered with and should not feed a time-of-day analysis. A solid example of this approach is the code analysis of the library of 1000 executables attributed to the North Koreans in Operation Blockbuster. By applying machine learning, we were able to attribute new code samples back to that body based on learned characteristics. Likewise, analyzing the code samples collected in Operation Cleaver, attributed to the Iranians, revealed metadata signatures across 160 executables that caused the samples to cluster tightly under machine learning algorithms.
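To make the metadata idea concrete, here is an added example (mine, not from the original post or from either of the operations it names) that parses the compile-chain fields out of PE headers and groups samples that agree on most of them. The PE samples are constructed header-only byte strings, not real binaries; the chosen feature set, the 4-hour build-time bins, the 0.8 agreement threshold and the helper names are all my assumptions for illustration. It also withholds time-based features when the timestamp is zero or in the future, since such values are a sign of stripping or forgery.

```python
import struct
import time
from datetime import datetime, timezone
from itertools import combinations

# Header fields compared when grouping samples (assumed feature set for this
# example; a real pipeline would add rich-header, import and section features).
FEATURES = ("machine", "linker", "os_version", "subsystem_version",
            "build_window_utc", "build_on_weekday")


def parse_pe_metadata(data, reference_time=None):
    """Read compile-chain metadata from a PE image's headers without executing it."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, _, timestamp, _, _, _, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, linker_major, linker_minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    # Offsets 40..51 of the optional header hold the same version fields in PE32 and PE32+.
    os_major, os_minor, _, _, sub_major, sub_minor = struct.unpack_from("<HHHHHH", data, opt + 40)
    # A zeroed or future TimeDateStamp was stripped or forged: time-of-day
    # features derived from it are withheld rather than trusted.
    now = int(time.time()) if reference_time is None else reference_time
    suspect = timestamp == 0 or timestamp > now
    built = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "characteristics": characteristics,
        "linker": (linker_major, linker_minor),
        "os_version": (os_major, os_minor),
        "subsystem_version": (sub_major, sub_minor),
        "timestamp": timestamp,
        "timestamp_suspect": suspect,
        "build_window_utc": None if suspect else built.hour // 4,   # six 4-hour bins
        "build_on_weekday": None if suspect else built.weekday() < 5,
    }


def similarity(a, b):
    """Fraction of FEATURES on which two samples agree; an unknown (None) never matches."""
    return sum(a[f] is not None and a[f] == b[f] for f in FEATURES) / len(FEATURES)


def cluster_by_metadata(metadata, threshold=0.8):
    """Union-find over sample pairs whose headers agree on at least `threshold` of FEATURES."""
    parent = {name: name for name in metadata}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(metadata, 2):
        if similarity(metadata[a], metadata[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in metadata:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


def build_sample_header(timestamp, linker, os_version, subsystem_version,
                        machine=0x14C, pe32plus=False):
    """Constructed test data: a bare PE header with the given fields. Not a runnable program."""
    opt_size = 240 if pe32plus else 224
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", machine, 1, timestamp, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<HBB", opt, 0, 0x20B if pe32plus else 0x10B, *linker)
    struct.pack_into("<HHHHHH", opt, 40, os_version[0], os_version[1], 0, 0, *subsystem_version)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def utc(y, m, d, hh, mm):
    return int(datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp())


# Constructed sample set: three builds from one toolchain during the same
# working hours, one from an older toolchain, one with a zeroed timestamp.
SAMPLES = {
    "a1.exe": build_sample_header(utc(2016, 3, 7, 2, 15), (14, 0), (6, 0), (6, 0)),
    "a2.dll": build_sample_header(utc(2016, 3, 8, 2, 50), (14, 0), (6, 0), (6, 0)),
    "a3.exe": build_sample_header(utc(2016, 3, 10, 3, 5), (14, 0), (6, 0), (6, 0),
                                  machine=0x8664, pe32plus=True),
    "b1.exe": build_sample_header(utc(2016, 3, 12, 14, 20), (9, 0), (5, 0), (5, 0)),
    "s1.exe": build_sample_header(0, (14, 0), (6, 0), (6, 0)),
}
REFERENCE_TIME = utc(2016, 12, 15, 0, 0)   # "now" for the future-timestamp check


def analyze(samples=SAMPLES, reference_time=REFERENCE_TIME, threshold=0.8):
    metadata = {name: parse_pe_metadata(data, reference_time) for name, data in samples.items()}
    return cluster_by_metadata(metadata, threshold)


if __name__ == "__main__":
    for group in analyze():
        print(group)
```

The three a* samples cluster together even though one is a 64-bit build, b1.exe stands alone on toolchain version, and s1.exe stays unclustered because its zeroed timestamp removes two features; a real analysis would then look for what else it shares with the group rather than forcing it in.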

Finally, the code itself or network packet traces can reveal the command-and-control infrastructure used by the malware. Command-and-control infrastructure is often re-used within a campaign across a number of targets, so once one attack is attributed, seeing the same infrastructure in another victim is a strong indicator of the same adversary. The caveat is that shared hosting, sinkholes, content delivery networks, and hijacked third-party servers all produce spurious overlaps, and an indicator that turns up in dozens of unrelated incidents is evidence of nothing.
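As an added example (mine, not the original post's), the following pivots between incidents through shared command-and-control indicators, expands each C2 domain to the IPs it resolved to so that different domains on the same server still connect, and discards any indicator seen in too many incidents as shared infrastructure. The incident data and passive-DNS records are constructed, the addresses are documentation ranges, and the evidence weights and hub threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Assumed weights for this example: a shared C2 domain is stronger evidence than
# a shared IP, because one address can host many unrelated tenants.
WEIGHTS = {"domain": 3, "ip": 1}


def expand_with_passive_dns(incidents, passive_dns):
    """Add the IPs each C2 domain resolved to, so incidents using different
    domains on the same server still connect."""
    expanded = {}
    for name, iocs in incidents.items():
        full = set(iocs)
        for kind, value in iocs:
            if kind == "domain":
                full.update(("ip", ip) for ip in passive_dns.get(value, ()))
        expanded[name] = full
    return expanded


def infrastructure_links(incidents, passive_dns, hub_threshold=3):
    """Pairwise links between incidents through shared C2 infrastructure.

    Any indicator seen in more than `hub_threshold` incidents is treated as
    shared hosting, a sinkhole or a CDN and dropped as evidence.
    Returns (links, hubs): links maps (incident, incident) to score and evidence."""
    expanded = expand_with_passive_dns(incidents, passive_dns)
    seen_in = defaultdict(set)
    for name, iocs in expanded.items():
        for ioc in iocs:
            seen_in[ioc].add(name)
    hubs = {ioc for ioc, names in seen_in.items() if len(names) > hub_threshold}
    links = {}
    for a, b in combinations(sorted(expanded), 2):
        shared = (expanded[a] & expanded[b]) - hubs
        if shared:
            links[(a, b)] = {
                "score": sum(WEIGHTS[kind] for kind, _ in shared),
                "evidence": sorted(shared),
            }
    return links, hubs


# Constructed sample data, not real indicators.
INCIDENTS = {
    "victim-A": {("domain", "update-check.example"), ("ip", "203.0.113.10")},
    "victim-B": {("domain", "update-check.example")},
    "victim-C": {("domain", "mail-relay.example")},
    "victim-D": {("domain", "static-assets.example")},
    "victim-E": {("domain", "news-feed.example")},
    "victim-F": {("domain", "cdn-sync.example")},
    "victim-G": {("domain", "photo-share.example")},
}
PASSIVE_DNS = {   # domain -> IPs seen resolving for it
    "update-check.example": {"203.0.113.10"},
    "mail-relay.example": {"203.0.113.10"},
    "static-assets.example": {"192.0.2.1"},   # 192.0.2.1 is a shared host: four unrelated tenants
    "news-feed.example": {"192.0.2.1"},
    "cdn-sync.example": {"192.0.2.1"},
    "photo-share.example": {"192.0.2.1"},
}


if __name__ == "__main__":
    links, hubs = infrastructure_links(INCIDENTS, PASSIVE_DNS)
    print("dropped as shared infrastructure:", sorted(hubs))
    for pair, info in sorted(links.items(), key=lambda kv: -kv[1]["score"]):
        print(pair, info["score"], info["evidence"])
```

Victims A and B link strongly through the same C2 domain and server; C links to both only weakly, through an IP that its different domain resolved to; D through G are not linked at all, because the one address they share is dropped as shared hosting. The weak links are where an analyst should start asking whether the server is a compromised third party rather than adversary-owned.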

Gather multiple intelligence sources

Aside from the code, there are other intelligence indicators that can help establish the provenance of an attack. For example, it is widely believed that the US Government attributed the attack on Sony Pictures Entertainment to North Korea on the strength of signals intelligence, e.g., intercepted communications.

Another tried and true method is human intelligence, whether spies inside a regime or investigators participating in underground dark web groups under an alias. Hackers often brag about their exploits in underground forums, and unpacking that braggadocio can give invaluable insight into a suspected adversary. Law enforcement can often turn a suspect, through the threat of jail time, into a source who reveals the identities of the actual perpetrators. Bragging rights tend to win over anonymity in these situations.

Go on the offense

This method is less often discussed, but is routinely used by the intelligence community to confirm a suspected adversary. Going on the offense against a suspected adversary gives you the opportunity to compromise their assets and look for signs they were behind the attack: the attack tools seen on the victim with identical signatures, captured documents, and of course correspondence with the people directing operations. The hack back is fairly reliable, and the perpetrators are often as vulnerable to attack as their victims are. It is, however, an option only for agencies with the legal authority to do it; a private firm that hacks back is committing its own computer crime.

Combining all-source intelligence with law enforcement means can make a much stronger case for attribution. Unfortunately, the Government often cannot release the details of these operations without burning its sources and methods, so the opacity of its conclusions often does not sit well with security researchers.

Overall, how can we be sure cybersecurity attribution is accurate?

It's important to realize that attribution is probabilistic. Private firms, intelligence agencies, and law enforcement look at the collected evidence and use it to draw conclusions as to who the adversary most likely is. Even with a preponderance of evidence, it is hard to reach "slam dunk" certainty.

The US Government is well suited to take on the task and responsibility of assigning attribution, as the intelligence and law enforcement communities have the special access and authorities needed to gather evidence that is often unavailable to private sector firms. Once they are confident, publicly naming the hacking group or nation-state and taking a proportionate response is an effective way to let the world know we will not tolerate this type of breach or interference.

While the USG is in the best position to gather intelligence, the private sector can assist greatly with the body of evidence it has collected on known adversaries and with techniques, such as machine learning, for identifying likely suspects.

Time will tell if and when the U.S. will retaliate against interference in the election, or whether this event will pass unpunished. The world will be watching too. We cannot afford another error on the scale of the Iraq "slam dunk", nor can we afford to let serious crimes go unpunished. This will be the challenge the next Administration faces.